Hackers abuse OAuth error flows to spread malware

Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers and take users to malicious pages.

The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application, Microsoft Defender researchers say.

with e-signature requests, Social Security notices, meeting invites, password resets, or various financial and political topics that include OAuth redirect URLs. Typically, the URLs are embedded in PDF files to evade detection.

Microsoft 365 account warning lure
Source: Microsoft

Forcing malicious redirections

OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and use the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources.

In the campaigns observed by Microsoft, the attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their own infrastructure.

The researchers say that even though the Entra ID URLs look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication (no interactive login) and an invalid scope that triggers an authentication error. This forces the identity provider to redirect users to the redirect URI configured by the attacker.

In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections.

Microsoft found that the 'state' parameter was misused to auto-fill the victim's email address in the credentials field on the phishing page, increasing the perceived legitimacy of the page.

OAuth redirect attack overview
Source: Microsoft

In other cases, the victims are redirected to a '/download' path that automatically delivers a ZIP file containing malicious shortcut (.LNK) files and HTML smuggling tools.

Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading.

A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim.

The malware attack chain
Source: Microsoft

Microsoft recommends that organizations tighten permissions for OAuth applications, implement strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.

The company highlights that the observed attacks are identity-based threats that abuse an intended behavior of the OAuth framework: the identity provider behaves exactly as the standard specifies for how authorization errors are returned via redirects.

The researchers warn that threat actors are now deliberately triggering OAuth errors via invalid parameters, such as scope or prompt=none, to force silent error redirects as part of real-world attacks.
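The combination described above (a silent-auth request to the Entra ID authorization endpoint with an invalid scope and a redirect_uri outside the organization, sometimes carrying the victim's email in state) can be spotted in a URL before a user clicks it. The following detector is an added example, not Microsoft's or BleepingComputer's code; the scope allowlist, the trusted-domain set and the sample URLs are constructed assumptions that a defender would tune to their own tenant.

```python
import re
from typing import List, Set
from urllib.parse import urlparse, parse_qs

# Authorization-endpoint hosts whose error redirects we want to inspect.
IDP_AUTHZ_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Constructed allowlist of scope tokens this organization expects to see;
# anything outside it is likely to make the IdP return an error redirect.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def analyze_oauth_url(url: str, trusted_redirect_domains: Set[str]) -> List[str]:
    """Return the suspicious indicators found in an OAuth authorization URL.

    An empty list means the URL is either not an authorization request to a
    tracked identity provider or shows none of the patterns from the campaign.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in IDP_AUTHZ_HOSTS or "/oauth2/" not in parsed.path:
        return []
    # parse_qs returns lists; keep the first value of each parameter.
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    # prompt=none asks for silent auth: any failure becomes an immediate redirect.
    if params.get("prompt") == "none":
        findings.append("prompt=none requests silent authentication")

    # An unrecognized scope is the usual way to provoke the error redirect.
    unknown = set(params.get("scope", "").lower().split()) - KNOWN_SCOPES
    if unknown:
        findings.append("unrecognized scope value(s): %s" % sorted(unknown))

    # The error is delivered to redirect_uri, so its host must be one we trust.
    redirect = params.get("redirect_uri", "")
    rhost = (urlparse(redirect).hostname or "").lower()
    if redirect and not any(rhost == d or rhost.endswith("." + d)
                            for d in trusted_redirect_domains):
        findings.append("redirect_uri host %r is not a trusted domain" % rhost)

    # state carrying an email address matches the victim pre-fill pattern.
    if EMAIL_RE.match(params.get("state", "")):
        findings.append("state parameter carries an email address")
    return findings
```

Run it over every authorization URL extracted from inbound mail (including links pulled out of PDF attachments) and alert when the redirect_uri finding appears together with at least one of the others.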
